[IP] more on compromised ad servers?
Begin forwarded message:
From: Dan Updegrove <updegrove@xxxxxxxxxxxxxxx>
Date: August 26, 2005 8:32:25 AM EDT
To: dave@xxxxxxxxxx
Subject: Re: [IP] compromised ad servers?
Dave & Dave,
According to our Information Security Office, these are known as
droppers and are widely used by IRC/Web bots. They are the precursor
to the actual trojan, etc. that will eventually be installed on the
machine if the dropper is downloaded.
Droppers tend to utilize e-mail/IM as their initial attack vector
(e.g., click on my funny vacation pics site, doh), however, you can
also nav to a "dirty" site and be handed the dropper as well.
The droppers are oftentimes one-offs and aren't normally detected by
most AVware. Once the dropper is installed, it really doesn't matter
all that much what your patch level might be, etc. If a keylogger
needs to be installed it will; if a command&control mechanism needs
to be installed it will, etc., etc.
This is a widespread problem that has been going on since the
first major IM worm released (at least 8-9 months ago), likely much
earlier. IDS does a decent job of detecting these, but the IRC/Web
botnets are typically small and quite dynamic. One problem with
dropper detection, however, is that more and more droppers are being
built into .png and .jpg files and can be very hard to detect on
networks with large flows.
Just for perspective, here are a few of the droppers identified by
our ISO for a single day this week (links are broken, and most are
already dead):
At 06:17 AM 8/26/2005, you wrote:
I got piles and piles of that djf
Begin forwarded message:
From: Dave Wilson <dave@xxxxxxxxxx>
Date: August 25, 2005 6:59:40 PM EDT
To: dave@xxxxxxxxxx
Subject: compromised ad servers?
I visited a mainstream Web site Wednesday and an infected ad server
apparently pushed down a bit of malware, asdf.exe. The file was
extremely small -- less than 1.6 K -- and appeared to be trying to
install some more complex bit of malware, presumably a keylogger.
What fascinated me was that this occurred on a box with all standard
security measures in place: Windows XP system (all critical patches
installed) using Mozilla Firefox 1.0.6 (latest version, "Allow Web
sites to install software" unchecked) and running Norton Antivirus
and Norton Firewall, also current and updated. Norton AV didn't even
recognize this thing as malevolent; I noticed it after it was inside
at c:\asdf.exe clawing frantically at my firewall trying to get back
out. Even more amusing, I didn't actually do anything: Didn't click
on an advertisement, close a window, etc. One Web site that was
apparently serving up infected ads was The Onion (London's Observer
had a similar problem last year). Because this malware is passed along
through a compromised ad server, not every visitor will get hit,
since the ads rotate each time the page is called up.
Anyway, I've contacted AV vendors, but I'm worried about how
widespread this problem is. Google searches turn up people puzzling
over similar incidents starting three weeks ago. I'm wondering if IPers
can do a file search for "asdf.exe" and report back positive results?
Thanks
-dave
-------------------------------------
You are subscribed as updegrove@xxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
VP for Information Technology
The University of Texas at Austin
FAC 248 (Mail code: G9800)
P.O. Box 7407
Austin, TX 78713-7407
Phone (512) 232-9610
Fax (512) 232-9607
d.updegrove@xxxxxxxxxxxxxx
http://web.austin.utexas.edu/dau2
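A defender-side check for the two disguises the thread describes: decoy double extensions such as `.jpg.exe`, and executable content hiding behind an image extension, plus the "tiny executable" profile of a stager. This is an added example, not code from the original posts; the file names and byte strings are constructed samples, and the size threshold is an assumption.

```python
# Constructed sample "downloads": (filename, first bytes). Hand-made to mimic the
# cases in the thread; none of these bytes come from real malware.
SAMPLES = {
    "postcard19832.jpg.exe": b"MZ\x90\x00" + b"\x00" * 60,  # decoy .jpg before .exe
    "amigo.jpg": b"MZ\x90\x00" + b"\x00" * 60,              # PE bytes named as an image
    "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,     # genuine JPEG header
    "cartao.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,       # genuine PNG header
    "veja.zip": b"PK\x03\x04" + b"\x00" * 28,               # archive, out of scope here
}

EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
TINY_PE_BYTES = 2048  # assumed threshold: the post's asdf.exe was under 1.6 K


def is_pe(data: bytes) -> bool:
    """True if the data starts with the DOS 'MZ' stub of a Windows executable."""
    return data[:2] == b"MZ"


def classify(name: str, data: bytes) -> list:
    """Return the reasons a file looks like a dropper (empty list = no finding)."""
    findings = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # Decoy type before the real one, e.g. photo.jpg.exe
    if len(parts) > 2 and ext in EXEC_EXTS and parts[-2] in IMAGE_MAGIC:
        findings.append(f"double extension .{parts[-2]}.{ext}")
    # Extension says image; content says otherwise
    if ext in IMAGE_MAGIC and is_pe(data):
        findings.append("PE header in file named as image")
    elif ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        findings.append("image extension but no matching magic bytes")
    # Very small executables are consistent with a stager that fetches the payload
    if ext in EXEC_EXTS and is_pe(data) and len(data) < TINY_PE_BYTES:
        findings.append("tiny PE, consistent with a dropper/stager")
    return findings


def scan(samples: dict) -> dict:
    """Classify every sample; returns {name: findings} for all names."""
    return {name: classify(name, data) for name, data in samples.items()}
```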